System and method for providing user media

ABSTRACT

An identification system includes at least one user medium, which is equipped to store a derived key and authenticate itself using the same with respect to a write and/or read device. Furthermore, at least one key dispensing medium is present, which comprises a monolithic first integrated circuit having storage means and processor means, wherein the first integrated circuit is equipped to store a source key and derive therefrom the derived key and to pass it on for storage in the user medium, wherein the user medium is enabled neither directly nor by way of aids to read the source key from the key dispensing medium and/or the user medium is not enabled to calculate a derived key.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The invention relates to the field of identification technology, as isused for security and data storage media systems, for example. Itrelates particularly to a system and a method for producing user mediain an identification system.

2. Description of Related Art

Identification systems (often the term “authentication system” would bemore correct) are used for different applications such as access control(in what are known as ‘online’ systems, in which an object for whichaccess is being controlled is in contact with a central unit, and in‘offline’ systems, in which this is not the case), prepaid card systems,data acquisition systems, etc.

Usually, the identification systems have user media—for example “SmartCards”—which are provided with a data memory which stores a suitableelectronic key. In application, data interchange takes place—usuallywithout physical contact—with a read and/or write device, wherein theelectronic key is used to perform an authentication process and thedesired action—for example the release of an object, the purchase of anitem or service, the writing of a piece of information to the usermedium, etc.—is performed successfully only if the electronic key isestablished to be correct in the read and/or write device or possibly inthe user medium, or the result of a computation operation on the basisof the key produces a desired value.

A frequently chosen approach is for the common electronic key to bestored on all user media and for the electronic key to be known to allread and/or write devices in a system. This is a good solution forsmall, straightforward systems. However, it makes no sense in largersystems, for if a medium or the key is lost and (possibly) reaches anunauthorized person, all elements of the system need to be reprogrammedwith a new key.

An alternative approach is to provide what is known as a “Site Key” or“Master Key” which is used as a basis for calculating the electronickeys. The electronic keys for the various media differ from each other,only the ‘Master Key’ is common. The ‘Master Key’ is never used foridentification, and it cannot be calculated from the keys.

This alternative approach makes it possible such that not all elementsof the system to have to be reprogrammed in the event of loss of amedium, but rather only particular applications which are affected bythe loss. However, some significant drawbacks remain as user media aregenerally initialized, and have information written to them, by acomputer which must contain the master key. This is a security riskbecause the whole system is endangered if the master key is copied. Forthis reason, media in such systems are issued by central certificationoffices—for example provided by the vendor of the entire identificationsystem—and these central certification offices never issue the masterkey. Although satisfactory security devices at the central certificationoffices warrant the required security to a certain extent, theprocurement of new media is complicated and—as a result of theinvolvement of the central certification office—also expensive.Furthermore, there is always the residual risk of abuse by personsworking at the certification office.

A system with a central certification office for applications in thebanking sector or the like is described in U.S. Pat. Nos. 4,811,393 and4,910,773, for example. In accordance with this teaching, ‘User Cards’(user media) are provided which are also in the form of security moduleswhose memory can be accessed only by the dedicated module processor, forexample. The user media are used to store a derived key (diversifiedkey) which has been determined from a base key. This system alsorequires a central certification office and is furthermore also costlybecause all user media need to be designed in hardware as securitymodules with appropriate processors and data memories.

BRIEF SUMMARY OF THE INVENTION

It is an object of the invention to provide approaches which remedy thissituation.

The present case provides an identification system comprising at leastone key dispenser medium with a first integrated circuit and at leastone user medium. The first integrated circuit comprises memory means andprocessor means which are preferably monolithically integrated. It isequipped to store a source key (“Site Key”) and to calculate keysderived therefrom, wherein the hardware of the key dispenser mediumpreferably does not allow the unencrypted source key to be read. Theuser medium may have a second integrated circuit and is equipped tostore a derived key and to perform an authentication process on thebasis of this derived key together with a read and/or write device.

The monolithic integration of the first integrated circuit, which,besides the memory for the source key, also contains the processor meansfor calculating the derived key, is advantageous in that no dataallowing calculation of the source key need to leave the integratedcircuit in order to calculate the derived key.

According to a first property of preferred embodiments of the invention,the read and/or write device has a third integrated circuit, which, likethe key dispenser medium, is equipped to store a source key (“Site Key”)and to calculate keys derived therefrom.

In this case, the hardware of the read and/or write device preferablydoes not allow the unencrypted source key to be read and, for example,also does not allow encrypted data comprising the source key to beissued, and/or, for example, also does not allow derived keys to beissued. The latter are calculated exclusively in order to perform theauthentication process together with the user media, which of coursealso comprises this derived key. However, provision may also be made forthe third integrated circuit to forward the derived key to anotherelement of the read and/or write device, which then, for its part,performs the authentication process with the user medium.

With particular preference, the third integrated circuit is ofphysically identical design to the first integrated circuit and differstherefrom only in that it is configured differently.

In line with a second property of preferred embodiments of theinvention, the key dispenser medium and the user medium are now ofphysically different design such that the user medium is able to readthe source key or ascertain it in another way neither directly nor usingmeans (for example an interposed computer) and/or that the user mediumis unable to calculate a derived key.

By way of example, the first integrated circuit and the secondintegrated circuit may be designed with such different hardware that thefirst integrated circuit is able to perform operations (calculationsetc.) which the second integrated circuit is not at all able to perform.

This approach has the important advantage that holders of user mediacannot turn them into a key dispenser, not even by means of illegalactions. The key dispensers can be kept in a small number and inspectedat any time.

In some embodiments of the invention, the identification system has atleast two different communication channels which are fundamentallydistinguished by the physics of the signal transmission and/or by theprotocols used. Thus, by way of example, provision may be made for thekey dispenser media to be able to be read exclusively in a contact-basedfashion, while the communication between user media and read and/orwrite device is effected contactlessly, for example by means of radiofrequency waves (RFID) or other electromagnetic waves, inductively orcapacitively/resistively. The use of electromagnetic waves for the datainterchange both with the key dispenser media and with the user media,but using different frequencies and/or different protocols, is alsoconceivable.

Preferably, identification systems based on these embodiments aredesigned such that user media have different data interchange interfacesthan the key dispensers, i.e. the different communication channels meanthat the user media cannot read data which are sent by key dispensermedia on at least one available communication channel.

The approach in line with these embodiments enhances advantages whichare obtained on the basis of the second advantageous property.

In line with a third property of preferred embodiments of the invention,the key dispenser medium is capable of decrypting and storing anencrypted source key provided by another key dispenser medium, and ofencrypting the source key for forwarding to another key dispensermedium. This allows the key dispenser medium to duplicate a keydispenser (in this case a ‘Key Dispenser’ refers to a key dispensermedium with a source key stored thereon) onto a ‘Blank’ key dispensermedium.

In the approach based on the third property, the source key is issuedonly in encrypted form and, by way of example, only after a furthersecurity element, for example a PIN, has been input. Alternatively or inaddition, the further security element required may be the forwarding ofa (for example encrypted) specific code (uniqueness number of the like)for the key dispenser medium that is to have information written to it.By way of example, this specific code is requested at the start of theprocess by the key dispenser medium that is to have information writtento it. This additional security feature has the advantage that anabusively stored data packet with the encrypted source key cannot alsobe used to generate further key dispensers. The security feature may berequired for all first processor means and possibly also for the thirdprocessor means, for example provided that they can have informationwritten to them online, or else only for a selection of processor means.

For the purpose of the encryption, the key dispenser media may beprovided, during manufacture, with a security key which is not known tothe operator of the identification system (a separate security key maybe provided for each operator, or the security key may be identical fora plurality of operators or even for each operator without securityproblems arising therefrom). The security key is used for decrypting—andin the case of symmetrical encryption, also for encrypting—the sourcekey and is integrated in the first integrated circuit such that it cannever be issued. As an alternative, it is also possible for asymmetricencryption to be provided, wherein at least the key required fordecryption is a security key which is known only to the security chip.

For example, provision may be made—such an approach is known per se—forthe security key not to be known to a single individual, but rather forit to be obtained from a combination of different key elements which areknown to different persons/groups of persons.

With particular preference, the source key can be generated by the keydispenser medium itself.

All in all, the opportunity arises for an operator of the identificationsystem to initialize the user media himself and to provide them with(derived) keys without having them produced by a central unit withappropriate security devices. Nevertheless, security is not adverselyeffected in comparison with existing systems, which will be explained inmore detail in the description which follows. The user is also able togenerate and manage a plurality of key dispenser media, which isadvantageous when one of the media fails or is lost.

In line with one preferred refinement of embodiments with the thirdproperty, there may be two different types of key dispenser media. Afirst type of key dispenser media is capable of producing further keydispensers by means of duplication. Although a second type of keydispenser media—also called “reduced key dispenser medium” in thistext—is able to derive derived keys from the source key—and possibly toinitialize read and/or write devices as described below—it is unable toproduce any other key dispensers.

In line with a first variant, this is accomplished by providing dataproduced by the first/second type of key dispenser medium with differentdesignations. The integrated circuits of both types of key dispensermedia disallow the storage of a source key if the data contained (inencrypted form) in the source key come from a reduced key dispensermedium. This can be prompted by appropriate configuration of the firstintegrated circuit.

In line with a second variant, the second type of key dispenser media istotally incapable of issuing the source key (in encrypted form).

The distinction between the first and second key dispensers allows finergradation of authorizations by the operator.

The use of reduced key dispensers in line with the first variant isfurthermore appropriate particularly when the encrypted source key issent via a data line or a network, as described below. In that case, aperson intercepting the data line without authorization is unable togenerate a key dispenser from the encrypted source key even if a keydispenser medium blank is present.

In embodiments of the invention with a fourth advantageous property, anidentification system can be set up such that the operator of the systemis able to generate keys for daily use on user media himself. There are,thus, two mutually independent instances which contribute to producingthe keys in use:

-   -   the manufacturer of the identification system who provides the        media (key dispenser media/user media/read and/or write        devices), with security features therein, and    -   the operator himself, who can generate the keys used entirely        independently of the manufacturer.

In comparison with the prior art, this is more secure, since even agroup of persons working for the manufacturer can never obtain allsecurity features, since the keys themselves are produced by theoperator. Furthermore, the approach is also less complex and sometimesless costly for the operator, since he is able to set up the entiresystem himself and also reconfigure it again if adjustments arenecessary.

In embodiments with the fourth property, the operator is issued a set ofparts, for example, which comprises at least one key dispensermedium—which preferably has the ability to generate the source keyitself and is delivered as a key dispenser medium blank—and a pluralityof user media, likewise without a key (or with a temporary key which isset up at the factory). The set preferably also includes an instructionwhich explains how the operator himself can generate source keys, derivederived keys therefrom and possibly duplicate key dispensers.

While each of the above advantageous properties can be implemented onits own on an identification system according to the invention,combinations of the above advantageous properties, which synergisticallycontribute together to increased security, to compatibility withexisting identification technologies and to ease of handling by theoperator, are particularly preferred, as can be seen more specificallyfrom the explanations which follow and from the description of theexemplary embodiments. Arbitrary combinations of two, three or all fourof the advantageous properties are part of the teaching according to theinvention; quite particular preference is given to a combination of allfour properties.

The statements which follow can—unless indicated otherwise—be applied toall properties and combinations of properties.

The key dispensers contain the source key and are set up to calculate aderived key from the source key and further parameters (for example auniqueness number and/or an application index) and to issue said derivedkey. The key dispensers are provided as ‘Masters’ only to a restrictedcircle of users, for example only to a system responsibility holder.Furthermore, the key dispensers—or the first integrated circuitsthereon—may be set up such that they make the issue of the encryptedsource key and/or the issue of a derived key dependent on the input ofan identification code (for example PIN). If an improper code is inputmultiple times, there may be provision for an automatic “reset”, forexample including the source key being deleted or rendered inaccessible.The first integrated circuits are monolithic in the sense that memorymeans and processor means are integrated in a common chip, and there areno data lines between the memory and the processor which are accessiblewithout destroying the chip.

The first—and possibly also the third integrated circuit—may be in theform of a security chip, for example, which has both the memory meansand the processor means. Security chips which output (certain) data onlyin encrypted form and which also render ‘Reverse Engineering’ at leastmore difficult are already known in principle. The first and possiblythe third integrated circuits additionally have means, for example, onthe basis of the source key and use further data (for example auniqueness number and/or an application index) to calculate a derivedkey. Furthermore, the first integrated circuit can issue this derivedkey—possibly in encrypted form.

The key dispenser media may physically be in the form of chip cards,dongles, chip sets which are or can be integrated into a data processingappliance (slot etc.), etc. The physical form is not significant to theinvention, and the monolithic integration of the memory containing thesource key with the processor means which encrypt the latter andcalculate the derived keys in a single chip is preferred in all cases.

The second media are user media. They contain a derived key calculatedby a key dispenser. They are furthermore equipped to interchange datawith a read and/or write device on a—preferably contactless—route and toperform an authentication process. By way of example, the datainterchange between user media and a read and/or write device can beeffected using radio frequency (RF) signals. In this case, an inherentlyknown technology can be used, at the time of writing the present textfor example Mifare® (a system based on ISO 14443A which is offered indifferent variants, including “Mifare Classic” and “Mifare DESfire”), orelse FeliCa (ISO 18092), another system based on ISO 14443A, a systembased on ISO 14443B, etc. In principle, it is possible to use anytechnology which allows the authentication of user media and of a readand/or write device using contactless or else contact-based datatransmission. As is also explained in more detail below, an advantage ofthe identification system according to the invention is that a goodsecurity standard is provided which is independent of the built-insecurities of the data transmission technology. The method steps whichtake place during the authentication are usually defined by thetechnology used (for example “Mifare Classic”). They may be based on thechallenge-response method or on other approaches and are in some casesproprietary and not known; the invention works regardless of whether theauthentication is performed using known or secret algorithms. Theapproach according to the invention merely provides the—derived—key; theway in which this is used for the authentication is of no significanceto the invention.

The physical form of the user media may be any form which is known fromthe prior art, for example as a chip card (with an RFID chip—in thisform also called an RFID ‘Tag’—or other chip), as an RFID tag integratedin another medium (clock, mobile telephone, etc.), as a chipincorporated into a key, etc. New, alternative forms are alsoconceivable.

For the authentication, the read and/or write devices are thecounterpart of the user media. The third integrated circuit is possiblyable to calculate the possibly specific application key of the usermedium, for example initially from parameters provided by the usermedium (for example the uniqueness number and/or the application index).To this end, the third integrated circuit is then set up, for examplelike the first integrated circuit, to perform a calculation from thesource key and these parameters using the same algorithm—for example ahash algorithm—as the first integrated circuit. The third integratedcircuit is also preferably monolithic in the sense that memory means andprocessing means are integrated in a common chip, and there are no datalines between memory and processor which are accessible withoutdestroying the chip. The third integrated circuit may have the physicaldesign of the first integrated circuit, but the configuration ispreferably chosen such that issue of the source key even in encryptedform is not possible, or that a key issued by a third integrated circuitis not adopted by a first or third integrated circuit.

The read and/or write devices may outwardly be designed like known readand/or write devices (for example from Mifare applications), wherein, incontrast to the known read and/or write devices, said third integratedcircuit is present, which calculates the key required for theauthentication.

The approach in accordance with the various embodiments of the inventionhas the following advantages: the ‘Secret’ of the identification systemis the source key. The hardware of all elements in the system is set upsuch that the source key is not issued by any component of the system inunencrypted form. The source key may have been stored only by a first orpossibly a third integrated circuit, and only a first or thirdintegrated circuit is able to store the source key (system-externalmedia are totally unable to decrypt the key, even if it is available tothem in encrypted form). The first and third integrated circuits may bein the form of chips, for example security chips, produced/configuredspecifically for the application. This, in turn, allows the thirdintegrated circuits to be configured such that they do not issue thesource key or a derived key under any circumstances, not even inencrypted form. It is thus possible to use the design of the first andpossibly third integrated circuit to ensure that only the key dispensermedia can act as key dispensers, and only the key dispenser media cangenerate further key dispenser media by forwarding the encrypted sourcekey.

As a result, the forwarding of the source key and the production ofderived keys can be controlled perfectly. Only someone who is physicallyin possession of a key dispenser medium is able to generate applicationskeys and possibly create further key dispenser media—regardless of thedesign of the second media, and what means (computer with Smart CardReader (RFID write module, etc.) are used to write information thereto.

The key dispenser medium is not needed in the everyday operation of theidentification system, however, and can be stored securely and inseclusion, for example in a safe (physical security).

Provided that the source key can be generated by the operator, it doesnot need to be known to the manufacturer (system provider). The securitykey is known at most to the manufacturer, and by way of example tonobody. The security chips used can be produced only by themanufacturer. All in all, a very secure system is obtained whichprovides good protection against abuse.

BRIEF DESCRIPTION OF THE DRAWINGS

Properties and exemplary embodiments of the invention are discussedbelow with reference to schematic figures, in which:

FIG. 1 shows a scheme for the initialization of components of anembodiment of an identification system according to the invention;

FIG. 2 shows a scheme for the interchange of information in theembodiment shown in FIG. 1 during daily operation;

FIGS. 3 a-3 e show possible physical forms of a key dispenser medium;

FIG. 4 shows a form of a user medium;

FIGS. 5 a and 5 b show elements of various embodiments of a read and/orwrite unit;

FIG. 6 shows a form of an auxiliary medium for transferring the sourcekey to an offline read and/or write unit; and

FIG. 7 shows a schematic illustration of components of an identificationsystem according to the invention.

DETAILED DESCRIPTION OF THE INVENTION

FIGS. 1 and 2 schematically show components of an identification systemaccording to the invention. These components may be physically in theform of chips or ‘Tags’ of the type mentioned above, or may have suchchips. In addition to the outlined data memory means and data processingmeans, there are generally further means which prompt the actual datainterchange, for example antennas, amplifier means (which apply a signalto an antenna) etc., or else contact areas, etc. Since the precise formof these further means is not relevant to the invention, it is notdiscussed further at this juncture.

As FIG. 1 shows, a key dispenser medium 1 holds a source key 11 and asecurity key 12. The security key 12 is used to encrypt the source key;it can never be read from the key dispenser medium. The source key isstored in a writeable, for example nonvolatile, memory of the keydispenser medium. The internal wiring of the key dispenser medium doesnot allow the source key 11 to be read off externally, and the wiringand/or the firmware of the key dispenser medium does not allow thesource key 11 to be issued without encryption. Besides means forencrypting the source key 11 with the security key 12, the key dispensermedium has further data processing means 14 for calculating a derivedkey 13 from the source key and further parameters 15, such as theuniqueness number and/or an application number, etc.

Besides a (preferably writeable, non-volatile) memory 15 with auniqueness number, application number and/or other, for exampleapplication-dependent, data, the user medium 12 also has a memorylocation for a derived key. The user medium may be designed andconfigured in the manner of inherently known user media fromidentification systems, for example, and the relevant data processingmeans, for example for encrypting data with the derived key, may also beimplanted.

In a similar manner to the key dispenser medium, the electronics moduleof the read and/or write device 3 has a security key 12 and memorylocations for the source key 11 and also data processing means 14 forcalculating a derived key 13 on the basis of the source key 11 andfurther parameters 15 such as the uniqueness number and/or anapplication number, etc. Before the identification system isinitialized, the user is provided with at least one key dispenser medium1 (preferably a plurality of key dispenser media) and a plurality ofsecond media 2, and read and/or write devices are provided with thirdintegrated circuits. The key dispenser media and the third integratedcircuits are already provided with the security key; the security key isnot disclosed to the user. All media and all read and/or write devicesare in a basic state, in which they have no source or derived keys, forexample, apart from possible temporary keys which are prescribed duringmanufacture and which cannot ensure the entire security.

The initialization of the identification system may involve thefollowing method steps taking place:

First of all, upon initialization by the user, the source key 11 can beascertained in a key dispenser medium, for example as a random number,for example having at least 64 bits, preferably at least 128 bits,particularly preferably at least 256 bits. This turns the medium into akey dispenser (master).

The key dispenser (the initialized key dispenser medium) can thenoptionally be duplicated by writing to a further key dispenser medium.It is advantageous if the user has at least one duplicate of the keydispenser so that it can continue to operate and service theidentification system in the event of a key dispenser being lost orfaulty.

In the case of the duplication process too, the source key never leavesthe key dispenser medium in unencrypted form, but rather in a formencrypted with the security key 12. The target medium 1′ onto which thekey dispenser is duplicated likewise has the security key 12 and candecrypt the security key 12 and store it in the provided memory.

The key dispenser 1 can also be used to initialize the read and/or writedevice 3 with the third integrated circuit. For this purpose, as FIG. 1shows, the source key 11 is likewise read into the memory provided forthis purpose. In the presence of the key dispenser, the read and/orwrite device can also be programmed with regard to functions, access orentry rights, etc., by a programming appliance which is provided forthis purpose.

The issue of the source keys by the master may be linked to a furthersecurity element, for example the input of a PIN. For this purpose, thekey dispenser medium and also the read and/or write device may havemeans for reading in such a PIN (or the like) which have been input bythe user using a suitable input means—for example a computer, via whichthe key dispenser medium is connected by means of card reader orinterface, or a programming appliance which can contact a read and/orwrite device contactlessly—or have been read in by suitable means; thisalso includes the possibility of requesting biometric data.

A user medium 2 is initialized by calculating the derived key 13 usingthe parameters 15—which have been provided by the user medium 2beforehand, for example—in the key dispenser medium 1. Subsequent to thecalculation, the derived key 13 is stored in the memory locationprovided for this purpose in the user medium.

In use, as FIG. 2 shows, a communication link is set up between the usermedium and the electronics module 3 of the read and/or write device.First of all, the user medium-specific parameters 15 are transmitted tothe third integrated circuit 3, as a result of which the latter iscapable of calculating the derived key 13 from the source key 11 andthese parameters 15. The derived key does not need to be storedpermanently (even if permanent storage of the derived key is an option),but rather can be calculated afresh for every data interchange with auser medium.

As soon as the user medium 2 and the third integrated circuit of theread and/or write device 3 are in possession of the (identical) derivedkey 13, the authentication process can take place, and read and/or writeprocesses can take place on the memory means of the user medium 1 and/oron the memory means of the read and/or write device. The datainterchange taking place during the authentication process—said datainterchange may be based on the challenge-response principle or onanother principle—can be performed in a manner which is known per sefrom the prior art. By way of example, it is possible for a known,proprietary or standardized protocol to be used. One of the strengths ofthe invention is that the security features and practical advantages ofthe approach according to the invention are independent of the protocolsused for the authentication and for the data interchange and that it istherefore possible to use any suitable protocols. Sometimes, the personswith the user medium 2 do not need to be aware at all that theidentification system differs from the art (for example “MifareClassic”) by virtue of additional security features.

FIGS. 3 a to 6 show possible physical forms of and media and electronicsmodules from the components of identification systems according to theinvention. However, the implementation of a system according to theinvention is not dependent on the components used. It is possible to usemedia/modules which are in a form other than the media/modules shown;FIGS. 3 a to 6 merely show a few possible examples.

The key dispenser medium 1 shown in FIG. 3 a is in the form of a “SmartCard” (chip card) 31 with a chip 32. The chip 32 is a security chip ofthe type mentioned which incorporates both memory means and processormeans in a monolithic design. The data interchange described above iseffected using a, by way of example, conventional chip card reader. Byway of example, such a chip card reader may be connected to a computerwhich performs the data interchange. On the basis of the approach inaccordance with various embodiments of the invention, a source key 11will at no time be located in unencrypted form in a data memory of thecomputer. The computer may have an RFID reader and writer connected toit at the same time as the chip card reader, which means that the datainterchange shown in FIG. 1 between the key dispenser medium 1 and theuser medium 2 can be performed directly, online. However, it is alsoconceivable for the data interchange to be performed with a time offset,by calculating and reading a plurality of derived keys 13, for example,together with the parameters 15 into the computer and subsequentlyinitializing a plurality of user media.

The chip card 31 shown in FIG. 3 b, which can likewise be used as a keydispenser medium, differs from that shown in FIG. 3 a in that it has aradio frequency antenna 33 in a direct communication link to the chip32. When the chip 32 is supplied with current, it can use this antennato interchange data directly with an RFID medium, for example with auser medium 2 in the form of an RFID chip or with an offline read and/orwrite unit, the (for example only) communication interface of which isan RFID communication interface.

The chip card shown in FIG. 3 c also has, in addition to the chip 32, anRFID chip 34 with an RFID antenna 35. This RFID chip 34 can have theencrypted source key 11 written to it online (while the chip card isconnected to a computer for the purpose of communication), for example.Said RFID chip then transmits the encrypted source key 11 to an offlineread and/or write unit, the (for example only) communication interfaceof which is an RFID communication interface. The functionality of thechip card 31 shown in FIG. 3 c is thus very similar to that shown inFIG. 3 b.

FIG. 3 d shows the key dispenser medium 1 as a USB dongle 36. The dongleincorporates the security chip, which may be physically identical to thechip 32 of the chip cards. The functionality of the key dispenser mediumshown in FIG. 3 d is identical to that of the key dispenser medium shownin FIG. 3 a, but with no chip card reader being required. Instead of aUSB interface, such a dongle may naturally also have another interface.

FIG. 3 e shows a security chip 32 which is mounted directly on a printedcircuit board 37 and is contact-connected by the latter, such a printedcircuit board possibly being in the form of a plug-in card for acomputer, for example. It is also conceivable for the security chip 32to be mounted onto an already existing board in a computer.

An identification system in accordance with the invention may have onlykey dispenser media 1 which are in the same form, or any combinationsare conceivable. However, it is preferred for the security chip to be ofrespectively identical design and functionality even in the case ofdifferent media, that is to say for the different media to differ onlyin terms of how the data interchange with the chip takes place.

FIG. 4 shows a possible user medium 2. This is in the form of a chipcard 41 with an RFID chip 42 having an RFID antenna 43. Instead of on achip card, the RFID chip and the RFID antenna may also be on anothersupport, for example integrated in an appliance with yet other functions(mobile telephone, clock, etc.), on a chip card cover, etc.

FIG. 5 a schematically shows an electronics module for a read and/orwrite device 3. In addition to a chip 52, which is in the form of asecurity chip such as that of a key dispenser medium (but, as mentioned,with a slightly different configuration), and an RFID antenna 53 for thedata interchange with a user medium, the read and/or write device 3 alsohas an interface 54 for the data interchange with a control center. Theread and/or write device shown in FIG. 5 a is accordingly an example ofa read and/or write device which is suitable for an ‘online’ read and/orwrite device which can be initialized and programmed form the controlcenter. At least for the initialization, and preferably also for theprogramming, the control center will have a key dispenser medium whichis connected to a computer in the control center for the purpose ofcommunication, for example. For the initialization, the encrypted sourcekey is sent to the chip 52 via data lines and via the interface 54, forexample.

The read and/or write device 3 from FIG. 5 b differs from that in FIG. 5a in that there is no interface. The read and/or write device issuitable for an ‘offline’ read and/or write device and needs to beinitialized and possibly programmed by means of RFID data interchange,for example using an appropriate RFID programming appliance with a chipcard reader in conjunction with a key dispenser medium as shown in FIG.3 a, or using a key dispenser medium as shown in FIG. 3 b or 3 c. As afurther alternative, an auxiliary medium can be used for this purpose,as is described below.

FIG. 6 shows an auxiliary medium 61 which may physically be in a formsuch as a user medium and does not necessarily differ therefrom. Theauxiliary medium 61 is used for transmitting a (encrypted) source key 11to an ‘offline’ read and/or write device and at the outside—depending onthe configuration of the identification system and security demands forthe programming of the read and/or write devices—also for theauthentication to such an identification system for programming the readand/or write device. By way of example, such an auxiliary medium 61 canhave information written to it by a computer which is connected to a keydispenser medium for the purpose of communication.

For all the media described, it is true that other communicationchannels can be used instead of or in addition to RFID technology, forexample infrared, Bluetooth or other contactless interfaces,contact-based signal transmission, the capacitive-resistive coupling,etc.

FIG. 7 is also used to show elements of a possible form of anidentification system in accordance with the invention and to explain afew steps relating to the operation thereof. A control center, forexample equipped with at least one suitable computer 72, of the operatorof the identification system receives from the manufacturer at least onekey dispenser medium 1 and, by way of example, at least one reduced keydispenser medium 71. Suitable means—in this case a chip card reader 73connected to the computer—can be used to start the initializationprocess in a key dispenser medium and to produce a source key. The keydispenser medium provided with the source key in this manner becomes thefirst key dispenser. The computer, which can buffer-store the source keyprovided by the first key dispenser and encrypted with the preinstalledsecurity key and can transmit it to other key dispenser media, ispossibly used to produce further key dispensers and, by way of example,also to provide a reduced key dispenser medium with the source key. Thepresence of the encrypted source key in a computer buffer store is not asecurity risk, since it can be decrypted only by the key dispenser mediaand by the read and/or write devices. Preferably, the key dispensermedia are additionally set up such that they issue the encrypted sourcekey and possibly also derived keys only after a PIN has been input; ifan incorrect PIN has been input multiple times, a key dispenser mediumis automatically reset to the basic state, and the source key is deletedor rendered inaccessible. In addition or as an alternative, the datapacket stored on the computer with the encrypted source key may alsoadditionally have the—for example encrypted—uniqueness number of the keydispenser medium that is to have information written to it, and the keydispenser medium can have information written to it only in the event ofconsistency.

The first key dispenser or one of the further produced key dispensers orreduced key dispensers subsequently generates derived keys for the usermedia 2. For this purpose, either the uniqueness number and/orapplication number is read from the user media already providedtherewith—this is done using an RFID read and write unit 74, which islikewise connected to the computer—or the application number and/orpossibly also the uniqueness number is generated by the computer and isloaded onto the user media only during the initialization process. It isalso possible for a plurality of application numbers with a respectivederived key to be stored on a medium so that the user medium can performa plurality of functions.

The derived key is read from the key dispenser by the computerand—possibly together with the application number and/or possibly theuniqueness number—loaded onto the integrated circuit (for example RFIDchip) of the relevant user medium.

At the same time, beforehand or afterwards, the read and/or writedevices are initialized. As examples of read and/or write devices, FIG.7 schematically shows a security door 76 connected to the control centervia a data line online, a data collection terminal 77 which is likewiseconnected to the control center online, a second security door, whichcan be contacted via the internet 81 and is located in a differentbuilding/building complex than the control center, a (“offline”) door 79which cannot be programmed via data lines from the control center, and achip card reader 84, which in this case likewise cannot be contactedfrom the control center using data lines and which is connected to acomputer 83.

For the initialization, the source keys are transmitted (in encryptedform) to the read and/or write devices via data lines (for 76-78) or(for 79 and 84) via an auxiliary medium 61, an RFID-compatible keydispenser, using an RFID-compatible chip card reader or via a suitableother interface of the read and/or write device. At the same time orsubsequently, they are programmed by allocating appropriateauthorizations (on the basis of application number and/or uniquenessnumber, on the basis of time, etc.), for example. The programming can bedone online using the relevant data lines (for 76-78) or (for 79 andpossibly 84) using a programming appliance 80. The read and/or writedevices can also be reprogrammed at a later time at any time, a possibleprerequisite for the reprogramming being the presence of a key dispenserand/or the input of security features (programming PIN etc.); in theformer case, the read and/or write device requests the source key beforeit changes to a programming mode, for example. Instead of or at the sametime as reprogramming, it is naturally also possible for data stored inthe read and/or write device to be requested.

The PC 83 with chip card reader 84 is an example of the use of theinvention for controlling access to a virtual entry point for a computeror computer network. In this case, the security chip may be in the chipcard reader or in the computer (network) and authorize the access to thecomputer (network) as a whole or for particular applications; it goeswithout saying that it is also possible for the control center to beprogrammed via data lines, as in the case of the ‘online’ applicationsdescribed above.

Following the initialization, the key dispensers—which are preferablyall registered—are stored at a secure location, for example in a safewhich is accessible only to a restricted group of people. If a keydispenser goes astray or there is another security gap, the read and/orwrite devices and the available (or recently delivered) key dispensermedia are put into the basic state and reinitialized without the needfor components to be interchanged. A prerequisite for the resetting ofthe read and/or write devices to the basic state is preferably thepresence of at least one working key dispenser, i.e. so long as there isstill one working key dispenser, reinitialization is possible at anytime.

In addition to the read and/or write devices shown in FIG. 7, there mayalso be other read and/or write devices, for example with otherfunctions, such as appliances for deregistering or loading the usermedia as value cards, etc. A special category of read and/or writedevices are devices which do not have a third integrated circuit,therefore do not know the source key and are, for example, provided witha fixed application key. The security for transactions with such readand/or write devices is not as high, since manipulation by anunauthorized party can barely be controlled once the application key hasbeen copied. Provision is therefore preferably made for special readand/or write devices of this kind to be able to be used only in securedspaces and/or for them to be able to read data only and the user mediawhich do not allow the writing of data from such read and/or writedevices. One possible application of such special read and/or writedevices is time recording.

In line with one possible variant for the approach described above, thesource key can, upon issue, also be encrypted asymmetrically instead ofsymmetrically with the security key. In that case, at least thedecrypting key should be proprietary and known only to the first andthird integrated circuits. Preferably, however, the encrypting key isalso proprietary and known only to the relevant circuits so that an‘incorrect’ key dispenser would be recognized if reprogramming of theread and/or write devices were attempted.

As a further variant, the process of duplicating a master can also takeplace via a data line at the same time.

The invention claimed is:
 1. An identification system comprising: atleast one user medium; wherein the medium is equipped to store a derivedkey and to use the derived key to authenticate itself to a read and/orwrite device, the identification system further comprising a first keydispenser medium which contains a monolithic first integrated circuitwith memory means and processor means, wherein the first integratedcircuit is equipped to decrypt and store an encrypted source key,wherein the first integrated circuit is equipped to derive the derivedkey from the source key and to forward said derived key for storage inthe user medium, the identification system further comprising anotherkey dispenser medium containing another monolithic first integratedcircuit with memory means and processor means, wherein the firstintegrated circuit of the first key dispenser medium is equipped toencrypt the source key for forwarding to the other key dispenser medium,and wherein said other key dispenser medium is a reduced key dispensermedium which is capable of deriving the derived key from the source keyand of forwarding it for storage in the user medium, and which is notcapable of providing the source key in such an encrypted form that itcan be decrypted and stored by yet another key dispenser medium orreduced key dispenser medium.
 2. The identification system as claimed inclaim 1, further comprising at least one read and/or write device,wherein the user medium and the read and/or write device are capable ofperforming an authentication process through data interchange, andwherein the read and/or write device comprises a monolithic thirdintegrated circuit which is capable of storing the source key and ofderiving the derived key therefrom.
 3. The identification system asclaimed in claim 2, wherein the first integrated circuit and the thirdintegrated circuit are identical to one another apart from aconfiguration.
 4. The identification system as claimed in claim 2,wherein the read and/or write device or at least one of the read and/orwrite devices is connected to a control center via a data line.
 5. Theidentification system as claimed in claim 2, wherein the read and/orwrite device or at least one of the read and/or write devices is an“offline” read and/or write device and can be programmed by aprogramming appliance, wherein a prerequisite for at least oneinitialization of the read and/or write device is the presence of anencrypted source key provided by the key dispenser medium.
 6. Theidentification system as claimed in claim 2, wherein the thirdintegrated circuit is equipped to decrypt and store an encrypted sourcekey provided by either key dispenser medium.
 7. The identificationsystem as claimed in claim 6, wherein every key dispenser mediumcontains a security key which can decrypt a key provided in encryptedform by another key dispenser medium, wherein the third integratedcircuit comprises the security key.
 8. The identification system asclaimed in claim 1, wherein the user medium is not capable of readingthe source key from the key dispenser medium, either directly or byusing tools, and/or wherein the user medium is not capable ofcalculating a derived key.
 9. The identification system as claimed inclaim 8, wherein the derived key occurs on the basis of the source keyand a uniqueness number and/or an application number for the user mediumwith a mathematically preferably non-reversible algorithm.
 10. Theidentification system as claimed in claim 8, wherein the first keydispenser medium is capable of using a first interface to interchangedata with another medium and the user medium is capable of using asecond interface to interchange data with another medium, wherein thefirst and second interfaces are not compatible with one another.
 11. Theidentification system as claimed in claim 10, wherein the secondinterface is an interface for non-contact data interchange, for examplean RFID interface.
 12. The identification system as claimed in claim 1,wherein the user medium comprises an RFID chip which is capable ofstoring the derived key.
 13. The identification system as claimed inclaim 1, wherein each first integrated circuit is a chip which can beread in a contact based fashion.
 14. The identification system asclaimed in claim 1, wherein the source key is decrypted by an unreadablesecurity key which is present in every key dispenser medium.
 15. Theidentification system as claimed in claim 1, wherein the first keydispenser medium is capable of using an initialization process togenerate the source key itself.
 16. The identification system as claimedin claim 1, wherein the simultaneous forwarding of a code, which isspecific to the other key dispenser medium that is to have informationwritten to it, can be made a prerequisite for the forwarding of a sourcekey.
 17. The identification system as claimed in claim 1, wherein thefirst key dispenser medium is capable of generating the source keyitself.
 18. A method for installing an identification system having atleast one user medium which is equipped to use a derived key toauthenticate itself to a read and/or write device, and having at leastone key dispenser medium, comprising the following method steps: (a)issuing at least a first and a second key dispenser medium to anoperator of the identification system, wherein the first and second keydispenser media are equipped to store a source key and to derive keysderived therefrom, (b) issuing a plurality of user media without keys orwith identical keys to the operator, wherein the user media are capableof receiving and storing the derived key provided by the key dispensermedium, (c) generating, by the first key dispenser medium, the sourcekey, (d) encrypting, by the first key dispenser medium, the source key,and forwarding the encrypted source key to the second key dispensermedium, (e) deriving, by the second key dispenser medium, at least onederived key from the source key, and (f) transmitting the derived key toat least one of the user media for storing therein, wherein said secondkey dispenser medium is a reduced key dispenser medium which is capableof deriving the derived key from the source key and for forwarding itfor storage in the user medium, and which is not capable of providingthe source key in such an encrypted from that it can be decrypted by yetanother key dispenser medium or reduced key dispenser medium.
 19. Themethod as claimed in claim 18, wherein at the time of issue to theoperator, the at least one key dispenser medium has a security key andis capable of decrypting and storing an encrypted source key provided byanother key dispenser medium, and of encrypting the source key forforwarding to another key dispenser medium, and also of deriving thederived key from the source key and of forwarding it for storage in theuser medium.